Hugging Face Audit Logs
The Hugging Face Hub audit log records user and system actions across your organization, including repository management, membership and access control changes, SSO and OAuth events, billing changes, and Spaces and Jobs activity. These logs help security and compliance teams maintain audit trails, monitor administrative activity, and build detections on access to your Hugging Face resources.
Ingest Methods
Setup the ingestion of this source using one of the following guides.
API Polling
Hugging Face supports API polling to collect audit log events from your organization via the audit-log export endpoint (GET /api/organizations/{name}/audit-log/export).
Setup
- Go to Sources in RunReveal
- Click the Hugging Face source tile
- Give it a name
- Fill in your Organization name and an Access Token
- Click Connect Source
Access Token Configuration
Prerequisites:
- You must be an organization admin on a Team or Enterprise plan. The audit-log export endpoint is only available to these plans.
Creating the Access Token:
- Sign in to huggingface.co as an organization admin
- Navigate to Settings → Access Tokens
- Click Create new token with read access to your organization
- Copy the token — it will only be displayed once
Team or Enterprise Required: The audit-log export endpoint requires an organization admin on a Team or Enterprise plan. If requests return an authorization error, confirm the token belongs to an admin and that your organization is on a supported plan.
Collected Events
Hugging Face audit events follow a scope.action naming convention. RunReveal stores the event type in the eventName field. Scopes include:
- org — membership, roles, invitations, SSO login/join, settings, token approval, and security configuration changes (e.g.
org.add_user,org.remove_user,org.sso_login,org.update_settings) - repo — repository lifecycle, secrets and variables, settings, and trusted publishers (e.g.
repo.create,repo.delete,repo.move,repo.update_settings) - collection — collection create and delete events
- spaces — storage, volumes, hardware, and sleep-time changes
- resource_group — resource group lifecycle and membership changes
- jobs / scheduled_job — job creation, cancellation, and schedule changes
- billing — subscription, payment method, and marketplace changes
- oauth — OAuth token activity
Event Data Structure
Each audit event includes:
- Event ID and Type — Unique identifier (
_id) and event type (type) - Timestamp — When the action occurred (
createdAt, RFC 3339) - Actor Information — Author username, ID, and type
- Network Context — Source IP address and resolved location (country, city)
- Token Context — When applicable, the token type, role, and last 4 characters used for the action
Data Collection
- Collection Method: API polling every 5 minutes
- Backfill: On first connection RunReveal ingests all available audit history (the export returns up to the last 100,000 events)
- Event Format: JSON with normalized fields for consistent querying
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: huggingface_logs (51 columns)
huggingface_logs (51 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
| Column | Type |
|---|---|
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
auditID | String |
eventType | String |
message | String |
authorID | String |
authorUser | String |
authorType | String |
actorIP | String |
locationFormatted | String |
locationCountry | String |
locationCity | String |
tokenType | String |
tokenID | String |
tokenRole | String |
tokenLast4 | String |
tokenDeleted | Bool |
Helpful Links
- Hugging Face Audit Logs - Overview of the organization audit log and available event types
- Hugging Face Hub API - Hub REST API reference
- Access Tokens - Creating and managing access tokens